Deployment Architecture

How do I give read-only access to the deployment server?

twinspop
Influencer

We have many group-admins that need to be able to check on their deployment clients, but I don't want to give them write access to the DS. I could give them all access to _internal and parse out phoneHome connections from there, trying my best to duplicate the DS interface. But is there a better way? I tried limiting their capabilities in a new role on the DS, but without admin, the Forwarder Management app isn't accessible.

Thanks,
Jon

0 Karma

twinspop
Influencer

Not pretty, but it's doing what I need: Provide hostname, IP, Last Phone Home time, phone home interval and (bonus) last time data was seen, if you have access to the indexes where data was written. It requires that you run it locally on the DS, or have the DS listed as a search peer on the server you are searching on.

| rest splunk_server=deploymentserver /services/deployment/server/clients | 
fields hostname ip *Phone* | 
eval "Last Phone Home, Minutes Ago"=round((now()-lastPhoneHomeTime)/60,2) | 
fields - lastPhoneHomeTime | 
eval hostname=lower(hostname) |
join type=outer hostname [ | 
   metadata type=hosts index=*| 
   eval "Last Data, Hours Ago"=round((now()-lastTime)/60/60,2) | 
   table host, "Last Data, Hours Ago" | 
   rex field=host "(?<hostname>[^\.]+)" | 
   fields - host | 
   eval hostname=lower(hostname) ] | 
where isnotnull(ip) | 
fillnull value="no data, or index not available"
0 Karma

jkat54
SplunkTrust

Looks like every view of deployment clients requires list_deployment_server AND edit_deployment_server.

Only way around would be a hack. You could go here:

$SPLUNK_HOME\etc\apps\search\default\data\ui\manager\

and edit deployment.xml, then remove AND edit_deployment_server from the following line

<read>list_deployment_server AND edit_deployment_server</read>

Save and restart ... After that, folks with list_deployment_server should be able to see that view, but couldn't make edits. At least I believe that would work. It would be an unsupported hack for sure, and would change every time you upgrade/reinstall.

Another option is to give them read-only access to this endpoint somehow, via scripting, etc.
localhost:8089/services/deployment/server/clients

twinspop
Influencer

Thanks for the hackerific solution. That might work for me (assuming it works at all :-). I've been toying with the REST endpoint. With 3000 clients it returns a metric ton of information. Will need to figure out how to present something similar to the DSM page from there.

0 Karma
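
An added example, not part of any post in this thread and not Splunk's own code: one way to reduce the endpoint's output for thousands of clients to the few columns discussed above, so group admins get a report instead of access to the DS. It assumes the response was requested with output_mode=json and carries the hostname, ip and lastPhoneHomeTime fields used in the search above; the sample data, the function names and the 60-minute staleness threshold are constructed for illustration.

```python
import json
import time

# Constructed sample, not real output. Assumes the response was fetched with
# output_mode=json, which wraps each client as {"entry": [{"content": {...}}]}.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"content": {"hostname": "WEB01.example.com", "ip": "10.0.0.11",
                 "lastPhoneHomeTime": 1700003540}},
    {"content": {"hostname": "db02", "ip": "10.0.0.12",
                 "lastPhoneHomeTime": "1699990000"}},
    {"content": {"hostname": "App03.corp.local", "ip": "10.0.0.13"}},
]})


def summarize_clients(raw_json, now=None, stale_after_minutes=60):
    """Keep only hostname, ip and phone-home age; flag clients that went quiet."""
    now = time.time() if now is None else now
    rows = []
    for entry in json.loads(raw_json).get("entry", []):
        content = entry.get("content") or {}
        try:
            minutes_ago = round((now - float(content["lastPhoneHomeTime"])) / 60, 2)
        except (KeyError, TypeError, ValueError):
            minutes_ago = None  # never phoned home, or field missing/garbled
        rows.append({
            # Same normalisation as the search above: lowercase short name.
            "hostname": str(content.get("hostname", "")).lower().split(".")[0],
            "ip": content.get("ip"),
            "minutes_ago": minutes_ago,
            "stale": minutes_ago is None or minutes_ago > stale_after_minutes,
        })

    def sort_key(row):
        age = float("inf") if row["minutes_ago"] is None else row["minutes_ago"]
        return (not row["stale"], -age)  # stale first, then oldest first

    return sorted(rows, key=sort_key)


def render(rows):
    """Plain-text table that can be handed to group admins."""
    lines = [f"{'hostname':<20}{'ip':<16}{'min ago':>10}  status"]
    for r in rows:
        age = "never" if r["minutes_ago"] is None else f"{r['minutes_ago']:.2f}"
        status = "STALE" if r["stale"] else "ok"
        lines.append(f"{r['hostname']:<20}{str(r['ip']):<16}{age:>10}  {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize_clients(SAMPLE_RESPONSE, now=1700003600)))
```

Only the account that runs the script needs to read the endpoint; the admins receive the rendered table.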